AI Governance

I thought AI governance was about AI?

Arletty Garcia Caraballo
Jun 14, 2026 · 4 min read

A regulated operator switches on Copilot. People go straight to their most sensitive, high-value work — and it comes back thin. Sometimes empty. The room decides the tool is broken. It wasn't.

Years earlier, that organisation had made a reasonable protection decision. It wrapped its most sensitive content in the strongest encryption available and kept the keys close. There was no AI in the picture at the time, and nobody revisited the decision when the AI arrived. The assistant did exactly what it was designed to do: it stayed out of content it wasn't allowed into, and everyone read that as failure.

This was the first AI rollout project I joined, expecting to think about models, prompts, and agents, and instead finding a classification problem to solve.

Why more protection can be the thing breaking your AI

Copilot can only read what the signed-in user is already allowed to open. That's the whole security model, and it's a good one. Microsoft's documentation is clear that Copilot doesn't reach anything the user couldn't reach themselves. When encryption is involved, the user needs two specific usage rights, VIEW and EXTRACT, before Copilot can do anything with the file.

So your protection settings decide what the AI can see. And one setting, in particular, draws a hard line: Microsoft's Double Key Encryption, or DKE, is built so that Microsoft's own services can't read the content. That is the point of it. Microsoft positions DKE for roughly the top 5% of data, the genuine crown jewels, and states plainly that DKE-encrypted content isn't available to Microsoft 365 services, Copilot included.

Once DKE is on a label, every document carrying that label is invisible to the AI, by design, for good. If that label has spread wider than the crown-jewels 5% (and in my experience it usually has), you've blinded Copilot across a big slice of your most important content.

Don't get me wrong, the answer isn't to rip out protection. It's to be aware that not all protection costs you the same way. Content encrypted with Microsoft-managed keys, or with your own key through BYOK, stays readable to Copilot. Same protection in most respects, completely different outcome for the AI.

Information protection is AI Governance work

Separating what content is from who should reach it. Getting a label taxonomy people can actually apply. Putting access at the container, the site or the team, instead of baking it into every file. Knowing when encryption helps and when it just gets in the way.

That's ordinary information-protection work. Purview practitioners have been doing it for years. The technique isn't new. What's new is the consumer: an assistant that reads on behalf of every user, never gets tired, and inherits their exact permissions. Get the data layer right and the AI behaves. Get it wrong and no AI policy will save you.

The challenge of regulated and critical-infrastructure tenants

In a normal company, "open it up a bit so the AI can reach it" is at least an option on the table. In a regulated operator, where some material is legally required to stay tightly held, that option isn't available. You can't loosen access on content the law says must stay locked. And you can't tell a regulator the AI needed it.

Generic AI-governance advice assumes you can trade a little protection for a little usefulness. Sometimes you can't, and the work becomes about drawing the line precisely: this set cannot be touched, while this much larger set was only locked down out of habit. It's also where rules like the EU AI Act will put real obligations on exactly these high-stakes settings.

What this blog is about

This blog has one goal: take the dry governance layer and make it concrete. Show where the setting lives, what to click, how to check the current state, so you can do the thing rather than nod at the idea.

Here's the first thing you can do this week, in about ten minutes:

  • Open the Microsoft Purview portal,
  • go to Solutions, then Information Protection, then Sensitivity labels,
  • count how many of your sensitivity labels apply Double Key Encryption, or apply encryption without the VIEW and EXTRACT permissions.

While you're there, note any labels that use the "let users assign permissions" option, which also blocks Copilot.

Clicking through every label stops being reliable once you're past a handful. For a sprawling label set, run this instead — the same three checks across every label, with a count at the end:

# Security & Compliance PowerShell - requires the ExchangeOnlineManagement module
Connect-IPPSSession

# Only encrypted labels can block Copilot, so start from those and evaluate the three checks per label
$report = Get-Label |
    Where-Object { $_.EncryptionEnabled -eq $true } |
    Select-Object DisplayName, Name,
        @{ N='DKE';         E={ -not [string]::IsNullOrWhiteSpace($_.EncryptionDoubleKeyEncryptionUrl) } },
        @{ N='UserDefined'; E={ $_.EncryptionProtectionType -eq 'UserDefined' } },
        @{ N='MissingViewOrExtract'; E={
            # Rights are only fixed on the label when protection comes from a template
            if ($_.EncryptionProtectionType -ne 'Template') { return $false }
            $defs   = $_.EncryptionRightsDefinitions
            $rights = if ($defs -is [string]) { $defs }
                      else { ($defs | ForEach-Object { $_.Rights }) -join ',' }
            -not ("$rights".ToUpper() -match 'VIEW' -and "$rights".ToUpper() -match 'EXTRACT')
        } }

$report | Sort-Object DKE, UserDefined, MissingViewOrExtract -Descending |
    Format-Table DisplayName, DKE, UserDefined, MissingViewOrExtract -AutoSize

$blinding = @($report | Where-Object { $_.DKE -or $_.UserDefined -or $_.MissingViewOrExtract })
"Labels that blind Copilot: {0} of {1} encrypted labels." -f $blinding.Count, @($report).Count

If the total feels higher than a crown-jewels handful, you've found your first AI-governance project.
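The script above joins every principal's rights into one string before checking it, so a label that grants VIEW and EXTRACT to one group but only VIEW to another passes the test while still leaving that second group's Copilot blind. The following is an added example of mine, not the post's code, that applies the same three checks per principal to an exported label list; it assumes the property names match the `Get-Label` output above, that `EncryptionRightsDefinitions` is a `principal:RIGHT,RIGHT;principal:RIGHT` string, and all sample data is constructed.

```python
import json
# Constructed sample shaped like `Get-Label | ConvertTo-Json` output; property names are the ones the
# PowerShell script above reads, every value is made up, and .invalid domains are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"DisplayName": "Crown Jewels", "EncryptionEnabled": True, "EncryptionProtectionType": "Template",
     "EncryptionDoubleKeyEncryptionUrl": "https://dke.example.invalid/key",
     "EncryptionRightsDefinitions": "all@contoso.invalid:VIEW,EXTRACT"},
    {"DisplayName": "Confidential", "EncryptionEnabled": True, "EncryptionProtectionType": "Template",
     "EncryptionDoubleKeyEncryptionUrl": "",
     "EncryptionRightsDefinitions": "finance@contoso.invalid:VIEW,EXTRACT,DOCEDIT;legal@contoso.invalid:VIEW"},
    {"DisplayName": "Internal", "EncryptionEnabled": True, "EncryptionProtectionType": "Template",
     "EncryptionDoubleKeyEncryptionUrl": "", "EncryptionRightsDefinitions": "all@contoso.invalid:OWNER"},
    {"DisplayName": "Recipients decide", "EncryptionEnabled": True, "EncryptionProtectionType": "UserDefined",
     "EncryptionDoubleKeyEncryptionUrl": "", "EncryptionRightsDefinitions": ""},
    {"DisplayName": "Public", "EncryptionEnabled": False},
])
REQUIRED = {"VIEW", "EXTRACT"}  # the two usage rights Copilot needs on encrypted content

def parse_rights(defs):
    """Split 'principal:RIGHT,RIGHT;principal2:RIGHT' into {principal: {rights}} (format is assumed)."""
    out = {}
    for entry in (e.strip() for e in defs.split(";") if e.strip()):
        principal, _, rights = entry.partition(":")
        out[principal.strip().lower()] = {r.strip().upper() for r in rights.split(",") if r.strip()}
    return out

def copilot_blind_reasons(label):
    """Return why this label hides content from Copilot; an empty list means Copilot can read it."""
    reasons = []
    if not label.get("EncryptionEnabled"):
        return reasons  # an unencrypted label never blocks Copilot on its own
    if (label.get("EncryptionDoubleKeyEncryptionUrl") or "").strip():
        reasons.append("DKE")
    if label.get("EncryptionProtectionType") == "UserDefined":
        reasons.append("UserDefined")
    if label.get("EncryptionProtectionType") == "Template":
        # Check each principal on its own: one group lacking EXTRACT is enough to blind its members.
        for principal, rights in parse_rights(label.get("EncryptionRightsDefinitions") or "").items():
            missing = set() if "OWNER" in rights else REQUIRED - rights  # OWNER implies every right
            if missing:
                reasons.append(f"{principal} lacks {','.join(sorted(missing))}")
    return reasons

def audit(export_json):
    encrypted = [l for l in json.loads(export_json) if l.get("EncryptionEnabled")]
    findings = {l["DisplayName"]: copilot_blind_reasons(l) for l in encrypted}
    return findings, sum(1 for r in findings.values() if r), len(encrypted)

for name, reasons in audit(SAMPLE_EXPORT)[0].items():
    print(f"{name:18} {'BLINDS' if reasons else 'ok':7} {'; '.join(reasons)}")
```

On the constructed sample it reports three of four encrypted labels as blinding Copilot, with "Confidential" flagged only because of the legal group's missing EXTRACT right.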

Arletty Garcia Caraballo
Power Platform Consultant · building toward AI Business Solution Architect. Writing in the open about the road from low-code delivery to AI governance — one honest step at a time.
— AGC

Dennis · 3 days ago

Ohhh that's insight, I learned sooooo much 🫶

Arletty Garcia Caraballo (Author) · 3 days ago

I try my best 😜